Last Updated On : 20-May-2026


Free CyberAB CMMC-CCA Exam Questions

Certified CMMC Assessor (CCA) Exam


Total 343 Questions


Topic 1: Assessing CMMC Level 2 Practices

While assessing an OSC, you realize they have given identifiers to systems, users, and processes. Examining their documentation, you know they have assigned accounts uniquely to employees, contractors, and subcontractors. The OSC has an automated system that disables any identifiers that are left unused for 6 months. You also learn from interviewing IT security administrators that the OSC has defined a technical and documented policy where identifiers can only be reused after 12 months. How would you score the contractor’s implementation of CMMC practice IA.L2-3.5.5 – Identifier Reuse?



A. Not Met (-5 points)


B. Met (+1 point)


C. Met (+2 points)


D. Met (+5 points)





B. Met (+1 point)

You decide to interview the IT security team to understand if and how a contractor has implemented audit failure alerting. You learn they have deployed AlienVault OSSIM, a feature-rich security information and event management (SIEM) tool. The SIEM tool has been configured to send automatic alerts to system and network administrators if an event affects the audit logging process. Alerts are generated for the defined events that lead to failure in audit logging and can be found in the notification section of the SIEM portal. However, the alerts are sent to the specified personnel 24 hours after the occurrence of an event. As an assessor evaluating the implementation of AU.L2-3.3.4 – Audit Failure Alerting, which of the following would be a key consideration regarding the evidence provided by the contractor?



A. Ensuring the defined alert notification methods (e.g., email, SMS) are secure and encrypted


B. Verifying that the types of audit logging failures defined cover a comprehensive range of potential scenarios


C. Determining if the documented personnel roles for alert notification align with the organization's hierarchy


D. Checking if the alert notification process integrates with third-party monitoring services





B. Verifying that the types of audit logging failures defined cover a comprehensive range of potential scenarios

When assessing an OSC’s compliance with IR requirements, you realize they have deployed a system that tracks incidents, documents details, and updates the status throughout the incident response process. Personnel to whom incidents must be reported are identified and designated. While examining their documentation, you come across an incident response template that they use to capture all relevant information and ensure consistency in reporting to the identified authorities and organizational officials. Interviewing the IR team, you learn there is an escalation process that the contractor’s cybersecurity team can use to address more serious incidents. From the scenario, the contractor has met all the required objectives for CMMC practice IR.L2-3.6.2 – Incident Reporting, meaning its implementation of the said practice will be scored MET with a total of 5 points. For how long must the OSC retain the incident records?



A. 72 hours


B. 90 days


C. 90 hours


D. 72 days





B. 90 days

When assessing a contractor’s implementation of CMMC requirements, you realize they have multiple data centers and regional offices, each with its own access control mechanisms and security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure the remote access to CUI is not compromised. In assessing the contractor's implementation of AC.L2-3.1.14 – Remote Access Routing, what must you determine?



A. The contractor manages access control points


B. Managed access control points are identified, implemented, and remote access is routed through these managed network access control points


C. All remote access is monitored


D. All users are authenticated before being granted remote access





B. Managed access control points are identified, implemented, and remote access is routed through these managed network access control points

You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. What would you recommend the contractor do to avert the risk?



A. Institute mandatory overtime for the engineer to complete tasks faster


B. Fully implement AC.L2-3.1.4, Separation of Duties by assigning different engineers responsibility for design, coding, testing, and deployment. Implement peer code reviews and separate test and deployment duties


C. Invest in more powerful development machines


D. Increase the engineer's salary to incentivize careful work





B. Fully implement AC.L2-3.1.4, Separation of Duties by assigning different engineers responsibility for design, coding, testing, and deployment. Implement peer code reviews and separate test and deployment duties

You have been hired to assess a contractor’s implementation of remote access capabilities for information systems that handle CUI. While interviewing the network administrator, you realize they perform privileged activities remotely when at alternate worksites. Which of the following is the BEST action the contractor can take to address the network administrator's remote execution of privileged activities, as per CMMC practice AC.L2-3.1.15 – Privileged Remote Access?



A. Implement multifactor authentication before authorizing remote access sessions, regardless of privilege level


B. Prohibit the remote execution of privileged commands and remote access to security-relevant information entirely


C. Log and monitor all remote sessions


D. Limit remote access privileges to read-only activities and prohibit any remote execution of privileged commands





A. Implement multifactor authentication before authorizing remote access sessions, regardless of privilege level

You are assessing a contractor’s implementation for CMMC practice MA.L2-3.7.4 – Media Inspection by examining their maintenance records. You realize the maintenance logs identify a repeating problem. A recently installed central server has been experiencing issues affecting the performance of the contractor’s information systems. This is confirmed by your interview with the contractor’s IT team. You requested to investigate the server, and the IT team agreed. On the server, there is a file named conf.zip that gets your attention. You decide to open the file in an isolated computer for further review. To your surprise, the file is a .exe used when testing the server for data exfiltration. How should this incident be handled?



A. By immediately reporting it to the FBI's Cyber Division


B. Decommissioning the server and installing a new one


C. In accordance with the incident response plan


D. By sandboxing the malicious code and continuing with business as usual





C. In accordance with the incident response plan

During your review of an OSC’s system security controls, you focus on CMMC practice SC.L2-3.13.9 – Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company’s internal network. The server operating system uses default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users remembering to log out of the application after completing their work. The scenario describes using a central firewall for network security. How could the firewall be configured to help achieve the objectives of CMMC practice SC.L2-3.13.9 – Connections Termination, for the remote access application?



A. Creating firewall rules to identify and terminate connections associated with the CUI access application that have been inactive for a predefined period


B. Encrypting all traffic between the user device and the server to protect CUI in transit


C. Implementing intrusion detection and prevention systems (IDS/IPS) to identify and block suspicious activity on the server


D. Blocking all incoming traffic to the server hosting the CUI access application, except from authorized IP addresses





A. Creating firewall rules to identify and terminate connections associated with the CUI access application that have been inactive for a predefined period

A contractor allows the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on devices such as tablets and smartphones. After assessing AC.L2-3.1.18 – Mobile Device Connection, you find that the contractor maintains a meticulous record of the mobile devices that connect to its information systems. AC.L2-3.1.19 – Encrypt CUI on Mobile requires that the contractor implement measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption, where all the data on a mobile device is encrypted. Which of the following personnel should you interview to determine how well the contractor has implemented AC.L2-3.1.19 – Encrypt CUI on Mobile?



A. Executives in the company


B. Personnel with access control responsibilities for mobile devices


C. IT helpdesk staff who troubleshoot basic mobile device issues


D. Staff in the Human Resources department





B. Personnel with access control responsibilities for mobile devices

CMMC practice PS.L2-3.9.1 – Screen Individuals requires individuals to be screened before they are authorized access to organizational systems containing CUI. However, in the assessment you are currently conducting, there is no physical evidence confirming the completion of personnel screening, such as background checks, only affirmations obtained during an interview session. In an interview with the HR Manager, they informed you that before an individual is hired, their information is submitted through a service that performs criminal and financial checks. How would you score the OSC's implementation of CMMC practice PS.L2-3.9.1 – Screen Individuals, objective [a]?



A. More information is needed


B. Not Met


C. Not Applicable


D. Met





A. More information is needed


Why Prepare with CMMCPracticeTest CMMC-CCA Practice Test?

Choosing the right preparation material is critical for passing the Certified CMMC Assessor (CCA) Exam. Here’s how our CMMC-CCA practice test is designed to bridge the gap between knowledge and a passing score.

Experience the Real Exam Format:


Familiarize yourself with the exact style, difficulty, and question types you will encounter on the official CyberAB exam. Our Free Certified CMMC Assessor (CCA) Exam CMMC-CCA test questions, like the samples on this page, cover specific technical scenarios and MCQs to ensure there are no surprises on test day.

Turn Knowledge into Application:


The smartest way to prepare isn't just reading - it's practicing. Our Certified CMMC Assessor (CCA) Exam practice exam transforms your theoretical understanding into practical problem-solving skills, exactly what is required to pass.

Learn with Detailed Explanations:


All CMMC-CCA exam questions come with a comprehensive summary and a breakdown of why the correct option is right and the others are wrong. This detailed feedback helps you identify your strengths and target your weaknesses, making your Certified CMMC Assessor (CCA) Exam study time far more efficient.
